What should password managers not do? Leak your passwords? What a great idea, LastPass

Critical bugs found in Chrome, Firefox add-ons


Updated Password vault LastPass is scrambling to patch critical security flaws that malicious websites can exploit to steal millions of victims' passphrases.

The programming cockups were spotted by Tavis Ormandy, a white-hat hacker on Google's crack Project Zero security team. He found that the LastPass Chrome extension has an exploitable content script that evil webpages can attack to extract usernames and passwords.

LastPass works by storing your passwords in the cloud. It provides browser extensions that connect to your LastPass account and automatically fill out your saved login details when you surf to your favorite sites.

However, due to the discovered vulnerabilities, simply browsing a malicious website is enough to hand over all your LastPass passphrases to strangers. The content script uncovered by Ormandy can be tricked into relaying a webpage's messages straight through to the extension's internal, privileged interfaces, which is rather bad news.

The script can also be abused to execute commands on the victim's computer – Ormandy demonstrated this by running calc.exe simply by opening a webpage. A malicious website could exploit this hole to drop malware on a visiting machine. A victim must have the binary component of LastPass installed to be vulnerable to this attack.

"This script will proxy unauthenticated window messages to the extension. This is clearly a mistake," Ormandy explained in a bug report today.

"This allows complete access to internal privileged LastPass RPC [remote procedure call] commands. There are hundreds of internal LastPass RPCs, but the obviously bad ones are things copying and filling in passwords (copypass, fillform, etc)."

All that's needed to exploit the vulnerability is two lines of JavaScript, which Ormandy supplied:

win = window.open("https://1min-ui-prod.service.lastpass.com/");  // open the LastPass page that hosts the vulnerable content script
win.postMessage({}, "*");  // post a window message to it; the script relays it, unauthenticated, to the extension
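To make the bug class concrete, here is an added example, written for this page and not taken from LastPass's extension or from Ormandy's report, that models a content script relaying window messages to the extension's privileged RPC dispatcher. The extension backend, the MessageEvent objects, the attacker origin and the getversion command are constructed stand-ins; copypass and the lastpass.com hostname are the ones named above. The vulnerable relay forwards anything it receives, which is exactly what the two lines above rely on; the hardened relay checks the sender's origin, the payload shape and a command allow-list before forwarding anything.

```javascript
// Added illustration (not LastPass's code): a content script that relays window
// messages to a privileged extension backend, first as the report describes it
// (an unauthenticated relay), then with the checks a reviewer would insist on.

// Stand-in for the privileged extension side. In a real extension the content
// script would call chrome.runtime.sendMessage() and the background page would
// dispatch to internal RPC handlers; here we only record what got through.
function makeExtensionStub() {
  const received = [];
  return { received, sendMessage: (msg) => received.push(msg) };
}

// Constructed stand-in for a DOM MessageEvent, as far as this example needs it:
// `origin` is the posting page's origin, `source` its window, `data` the payload.
function messageEvent(origin, source, data) {
  return { origin, source, data };
}

// Vulnerable relay: forwards whatever arrives on the window message channel.
// This is the pattern the report calls "proxy unauthenticated window messages".
function vulnerableRelay(ext) {
  return (event) => {
    ext.sendMessage(event.data);
    return { forwarded: true };
  };
}

// Hardened relay. The receiver, not the sender, has to authenticate a message:
//  - event.origin is checked against an allow-list (the "*" targetOrigin in the
//    attacker's postMessage says nothing about who sent it);
//  - the payload must have the expected shape;
//  - only a small, explicit set of commands is reachable from page content.
function hardenedRelay(ext, trustedOrigins, allowedCommands) {
  return (event) => {
    if (!trustedOrigins.has(event.origin)) {
      return { forwarded: false, reason: "untrusted-origin" };
    }
    const msg = event.data;
    if (!msg || typeof msg !== "object" || typeof msg.cmd !== "string") {
      return { forwarded: false, reason: "malformed" };
    }
    if (!allowedCommands.has(msg.cmd)) {
      return { forwarded: false, reason: "command-not-allowed" };
    }
    // Rebuild the message instead of forwarding the attacker-controlled object.
    ext.sendMessage({ cmd: msg.cmd, args: msg.args === undefined ? null : msg.args });
    return { forwarded: true };
  };
}

// Replays three constructed messages through both relays and returns the outcomes.
function runScenario() {
  const firstParty = "https://1min-ui-prod.service.lastpass.com"; // page hosting the script
  const attacker = "https://attacker.example";                      // hypothetical malicious page
  const attackerWindow = { name: "attacker" };
  const firstPartyWindow = { name: "first-party" };

  // (1) the bare {} from the two-line PoC, (2) an attacker-crafted privileged
  // command, (3) a legitimate first-party request for an assumed harmless command.
  const events = [
    messageEvent(attacker, attackerWindow, {}),
    messageEvent(attacker, attackerWindow, { cmd: "copypass", args: { site: "bank.example" } }),
    messageEvent(firstParty, firstPartyWindow, { cmd: "getversion" }),
  ];

  const vulnExt = makeExtensionStub();
  const hardExt = makeExtensionStub();
  const vuln = vulnerableRelay(vulnExt);
  const hard = hardenedRelay(hardExt, new Set([firstParty]), new Set(["getversion"]));

  return {
    vulnerable: events.map(vuln),
    hardened: events.map(hard),
    vulnerableForwarded: vulnExt.received.length, // 3: everything reaches the RPC layer
    hardenedForwarded: hardExt.received.length,   // 1: only the first-party getversion
  };
}

console.log(JSON.stringify(runScenario(), null, 2));
```

Run it with node. The point to take away is that postMessage's targetOrigin argument only limits who can receive a message, so the receiving script must check event.origin itself, and that a privileged RPC surface with "hundreds" of commands should expose to page content only the handful it genuinely needs, rebuilt from validated fields rather than passed through as received.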

The password manager developer has experience with Ormandy after he found another flaw in its code last year that could compromise a punter's passwords just by visiting the wrong website.

"We greatly appreciate the work of the security community to challenge our product and uncover areas that need improvement," Joe Siegrist, cofounder and VP of LastPass, told The Register.

"We have made our LastPass community aware of the report made by Tavis Ormandy and have confirmed that the vulnerabilities have been fixed. We were notified early on – our team worked directly with Tavis to verify the report made, and worked quickly to issue the fix. As always, we recommend that users keep their software updated to the latest versions."

It appears LastPass's fix for the Chrome extension issue was to quickly disable 1min-ui-prod.service.lastpass.com – although some say the server is still working for them, so they are still vulnerable. That LastPass backend system resolves to 23.72.215.179 for us right now, and is still up.

It's probably best to disable the Chrome extension until a version newer than 4.1.42, dated March 14, is sent out with an actual working fix.

And now its Firefox add-on

It has been a busy weekend for LastPass software engineers. Late last week, Ormandy found another LastPass vulnerability, this time in its Firefox extension. Again, the vulnerability can be exploited by malicious webpages to extract passwords from the manager.

That extension bug has been addressed, we're told, but the security patch won't be pushed out to people until the update is approved by Firefox-maker Mozilla. "The team has already issued a patch to fix [version] 3.3.2 and that updated version is currently in the Mozilla review process," a LastPass spokeswoman told us. She also said the 3.x branch of the add-on is being retired, and people should move onto the version 4.x family.

As we've said in the past, keep your password managers up to date. They're like any other software, and all software has bugs. If you're a LastPass user, disable your Chrome and Firefox extensions until a fix is definitely available. ®

Stop press: Ormandy has found another password-leaking bug in LastPass for Firefox 4.1.35. That'll need patching, too. Or just dump LostPass and find another manager.

Updated to add on March 22

LastPass has put out an "incident report" that insists its browser extensions have been patched to squash the above reported bugs, and these builds are being pushed to users: check to see if you're running the latest version of LastPass on your computer, and update your extension if the software hasn't automatically fixed itself. LastPass has also made server-side changes to close the security holes.

You should be using LastPass version 4.1.36 with Firefox, 4.1.43.82 with Chrome, 4.1.30 with Edge, and 4.1.28 with Opera. Note that the add-on maker is waiting for Microsoft and Opera to approve the updates from their browser extension stores, so the new builds may or may not be there right this second for those particular platforms. Check back later if they are not.

"Our investigation to date has not indicated that any sensitive user data was lost or compromised," LastPass added. "Our mobile apps for Android and iOS were not affected. No master password change is required. No site credential passwords need to be changed."

Biting the hand that feeds IT © 1998–2021